* Hooks in clients?

From: Sune Mølgaard @ 2020-11-13 15:46 UTC
To: wireguard

Hiya,

I am looking towards deploying WireGuard as my primary VPN connection, and wonder a bit if the various clients (Android, wg-quick, whatever there is for macOS, iOS and Windows) could be made to include the possibility of calling external programs upon (re-)connections, in my case specifically for port knocking, but possibly useful for other purposes as well?

In the cases of Android and iOS, I am a bit unsure about interaction with other apps, so maybe, to begin with, just built-in port knocking capabilities could be considered.

Any thoughts?

--
A video dry trample here madam ere help martyr doe diva
-- http://doulogos.blogspot.com
* Re: Hooks in clients?

From: Jason A. Donenfeld @ 2020-11-13 15:50 UTC
To: Sune Mølgaard; +Cc: WireGuard mailing list

wg-quick-based clients have this, but the UI clients do not.

However, for your use case, port knocking, I'd recommend getting rid of the port knocking. WireGuard is silent to unauthenticated packets, which means you don't need to port knock it. It was specifically made as a port knocking replacement.
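As an added illustration, not part of the thread, this is what the hook support in wg-quick-based clients looks like: the PreUp/PostUp/PreDown/PostDown keys in the [Interface] section run external commands around bringing the tunnel up or down, with %i expanded to the interface name. Keys, addresses, endpoint and script paths are placeholders.

```ini
# Added example of wg-quick hook keys (not from the thread).
# Private/public keys, addresses, endpoint and script paths are placeholders.
[Interface]
PrivateKey = <CLIENT_PRIVATE_KEY_BASE64>
Address = 10.0.0.2/32
# wg-quick runs each of these as a shell command; %i becomes the
# interface name (e.g. wg0). As noted in the reply above, the UI
# clients do not run these hooks, so this only applies to wg-quick.
PreUp = logger -t wg-quick "bringing up %i"
PostUp = /usr/local/bin/on-connect.sh %i
PreDown = /usr/local/bin/on-disconnect.sh %i
PostDown = logger -t wg-quick "%i is down"

[Peer]
PublicKey = <SERVER_PUBLIC_KEY_BASE64>
Endpoint = vpn.example.net:51820
AllowedIPs = 0.0.0.0/0, ::/0
PersistentKeepalive = 25
```

The hooks fire on `wg-quick up`/`wg-quick down`, not on handshake renewal, so they do not help with the roaming-IP case raised later in the thread.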
* Re: Hooks in clients?

From: Nicholas Capo @ 2020-11-13 16:58 UTC
To: Sune Mølgaard, wireguard

On Fri, 2020-11-13 at 16:46 +0100, Sune Mølgaard wrote:
> Hiya,
>
> I am looking towards deploying WireGuard as my primary VPN connection,
> and wonder a bit if the various clients (Android, wg-quick, whatever
> there is for macOS, iOS and Windows), could be made to include the
> possibility of calling external programs upon (re-)connections, in my
> case specifically for port knocking, but possibly useful for other
> purposes as well?
>
> In the cases of Android and iOS, I am a bit unsure about interaction
> with other apps, so maybe, to begin with, just built-in port knocking
> capabilities could be considered.
>
> Any thoughts?

In my experience there isn't really a case where the client gets disconnected (like a crash) and then needs to reconnect. For me the client always stays enabled, but if there is a problem at the remote end then packets don't go anywhere.

In other words the traffic might get dropped by the remote (feels like no traffic *at all*), but I've never seen a situation where I was accidentally sending unencrypted traffic.

Nicholas
* Re: Hooks in clients?

From: Sune Mølgaard @ 2020-11-14 9:55 UTC
To: Nicholas Capo, wireguard

On 13/11/2020 17.58, Nicholas Capo wrote:
> On Fri, 2020-11-13 at 16:46 +0100, Sune Mølgaard wrote:
>> Hiya,
>>
>> I am looking towards deploying WireGuard as my primary VPN connection,
>> and wonder a bit if the various clients (Android, wg-quick, whatever
>> there is for macOS, iOS and Windows), could be made to include the
>> possibility of calling external programs upon (re-)connections, in my
>> case specifically for port knocking, but possibly useful for other
>> purposes as well?
>>
>> In the cases of Android and iOS, I am a bit unsure about interaction
>> with other apps, so maybe, to begin with, just built-in port knocking
>> capabilities could be considered.
>>
>> Any thoughts?
>
> In my experience there isn't really a case where the client gets
> disconnected (like a crash) and then needs to reconnect.
> For me the client always stays enabled, but if there is a problem at
> the remote end then packets don't go anywhere.
>
> In other words the traffic might get dropped by the remote (feels like
> no traffic *at all*), but I've never seen a situation where I was
> accidentally sending unencrypted traffic.
>
> Nicholas

Hi Nicholas,

Well, my worry was that if I used port knocking, then, since I also use fail2ban on the server, the client (phone specifically) would change IP addresses, need to knock, or else get banned.

But if I understand Jason correctly (thank you, Jason), even if we employ port knocking for a few other things, if we keep the WG port open, it will actually look closed, unless one actually has a legitimate client and client config.

Is that understanding correct?

--
Real programmers don't comment... What was hard to write should be hard to read.
* Re: Hooks in clients?

From: Jason A. Donenfeld @ 2020-11-14 10:02 UTC
To: Sune Mølgaard; +Cc: Nicholas Capo, wireguard

On 11/14/20, Sune Mølgaard <sune@molgaard.org> wrote:
> But if I understand Jason correctly (thank you, Jason), even if we
> employ port knocking for a few other things, if we keep the WG port
> open, it will actually look closed, unless one actually has a legitimate
> client and client config.
>
> Is that understanding correct?

That is correct.